A network router includes a set of interface cards to receive packets from a network, and a set of accounting modules to calculate flow statistics for the packets. The router further includes a control unit to adaptively update routing information in response to the calculated flow statistics, and to route the packets in accordance with the routing information. The control unit identifies potentially malicious packet flows for the received packets based on the flow statistics, and applies an intercept filter to intercept the packets of the identified packet flows. The control unit analyzes the intercepted packets in real-time to determine the presence of a network event, and updates the routing information based on the determination, e.g., by terminating routing for packets associated with malicious packet flows. In this manner, the router may adaptively respond to network events, such as network security violations.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A network router comprising: a chassis having a plurality of slots to receive removable cards; a plurality of removable interface cards inserted within the slots to receive packets from a network; a plurality of removable accounting service cards inserted within the slots to calculate statistics for flows of the packets; a plurality of removable packet analysis cards inserted within the slots; and a control unit configured to distribute the packets to the accounting service cards for calculation of the flow statistics prior to analysis by the packet analysis cards, wherein, after calculation of the flow statistics, the control unit intercepts packets for a subset of the flows for which the flow statistics indicate traffic levels exceed a threshold indicative of a potential network attack, wherein the control unit forwards the intercepted packets to the packet analysis cards, wherein the packet analysis cards analyze contents of the intercepted packets to determine the presence of the network attack, and wherein the control unit updates routing information based on the determination of the packet analysis cards and routes the packets in accordance with the routing information.
2. The network router of claim 1 , wherein the network attack comprises a Denial of Service (DOS) attack.
3. The network router of claim 1 , wherein the control unit applies an intercept filter to intercept the packets associated with the identified suspicious packet flows and forwards the intercepted packets to the packet analysis cards.
4. The network router of claim 3 , wherein the control unit updates the intercept filter based on the calculated flow statistics.
5. The network router of claim 1 , wherein the control unit generates a message informing other devices within the network of the network attack.
6. The network router of claim 1 , wherein the control unit updates the routing information to terminate the routing of packets for one or more of the packet flows.
7. The network router of claim 1 , wherein the control unit applies a hash function to each packet to calculate a hash value and distributes each packet to one of the accounting service cards based on the calculated hash values.
8. The network router of claim 1 , wherein the control unit comprises: a routing engine to generate forwarding information in accordance with the routing information; and a forwarding engine to forward the network packets to output ports of the interface cards in accordance with the forwarding information.
9. The network router of claim 1 , wherein the traffic flow statistics comprise one or more of a packet count for each flow, a byte count for each flow, a source IP address for each flow, a destination IP address for each flow, a next hop IP address for each flow, input interface information for each flow, output interface information for each flow, total octets sent for each flow, flow start time, flow end time, source and destination port numbers for each flow, TCP flags for each flow, type of service for each flow, originating autonomous system for each flow, source address prefix mask bits for each flow, or destination address prefix mask bits for each flow.
10. A method comprising: receiving packets from a network via an interface card of a network device; calculating, with the network device, flow statistics for the packets; identifying, with the network device, a set of packet flows for the received packets based on the flow statistics; determining, with the network device, whether a traffic level for each of the packet flows of the received packets exceeds a threshold to identify suspicious packet flows; when the traffic level for one of the packet flows exceeds the threshold, intercepting the packets associated with the identified suspicious packet flows and distributing the intercepted packets to a set of analysis service cards of the network device for real-time traffic analysis; scanning the contents of the intercepted packets via the analysis service cards to detect virus signatures; updating routing information of the network device in response to the scanning; and routing the packets with the network device in accordance with the routing information.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
May 7, 2007
February 17, 2009
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.